What is the basic architecture of EAP?
Extensible Authentication Protocol (EAP):
- Supplicant
- Authenticator
- EAP server
How is an EAP message structured?
- 8 bit code - request, response, success, failure
- 8 bit identifier
- 16 bit length
- n bit data
How does EAP-TLS work?
- Uses TLS 1.3
Handshake:
- Server initiates EAP-TLS
- Supplicant sends “Client Hello” with supported algorithms, Client-DH and Client Rand
- Server computes Master Secret
- Server sends “Server Hello” with selected algorithms, server-DH, server rand + encrypted and integrity protected: Certificate Request, Server Certificate, Certificate verify, Finished
- Client checks Certificate Verify with Server Certificate
- Client computes Master Secret
- Client sends encrypted and integrity protected: Client certificate, Client verify, Finished
- Server checks Client verify with Client certificate
What is EAP-TTLS? How can it be attacked?
- EAP-TLS with server authentication only
- Client is authenticated after handshake and is protected with generated keys (e.g. password based (PAP))
On EAP-TTLS with Pap:
Evil Twin with fake certificate:
- If MD doesnt check certificate or attacker has an certificate from the same root certificate
- Attacker obtains username/ password
How does EAP-TTLS with MSChapv2 work?
- Client and server compute challenge in TLS handshake
- Client computes response with password and sends response and peer challenge to TTLS Server
- TTLS verifies response and forwards peer challenge to AAA-server
- AAA-server replies with peer-response using stored password
Why is a EMSK needed in EAP?
EAP re-authentication:
- Large Network with roaming (e.g. eduroam) have multiple networks with local EAP server and a home EAP server.
- Local EAP server acts as a proxy
- To avoid re-authentication with home EAP server EMSK is saved on local EAP server
- Used to derive future MSKs
How is EAP re-authentication done?
- Home EAP server provides local EAP server with Domain-Specific Root Key (DSRK) based of Extenden MSK (EMSK)
- Local EAP server derives Domain-Specific re-authentication Root Key (DS-rRK). It then can derive rMSK for re-authentication
- Supplicant initiates EAP re-authentication with re-authentication Integrity Key
- Local server derives rMSK and sends in EAP finish
-
Chapter 1- Introduction3
-
Chapter 2 - GSM19
-
Chapter 3 - UMTS18
-
Chapter 4 - LTE16
-
Chapter 5 - 5G9
-
Chapter 6 - WLAN29
-
Chapter 7 - EAP7
-
Chapter 8 - Bluetooth22
-
Chapter 9 - Example for an Algebraic Attack on a Symmetric Stream Cipher2
-
Chapter 10 - CBC Mode padding oracle4
-
Chapter 11 - Bleichenbacher and Return of the Bleichenbacher Oracle Threat1
-
Chapter 12 - Practical Problems with DH3
-
Chapter 13 - Routing Security3
